May MSRT by the numbers

In May we added Win32/Ramnit to the Microsoft Malicious Software Removal Tool (MSRT), as my colleague Scott Molenkamp blogged. As of May 20th, MSRT had disinfected 52,549 computers of Win32/Ramnit. Ramnit is one of the four parasitic viruses among the top 10 detected threat families.

Top 25 detections by MSRT, May 10 – May 20

Family        Machine count   Note
Sality            202,351     Classic parasitic virus
Taterf             77,236     Worm
Rimecud            65,149     Worm
Vobfus             59,918     Worm
Alureon            58,884     Evolved parasitic virus
Parite             53,778     Evolved parasitic virus
Ramnit             52,549     Evolved parasitic virus
Brontok            50,392     Worm
Cycbot             50,209     Trojan
Conficker          49,173     Worm
Renocide           48,395     Worm
Bubnix             45,712     Trojan
FakeRean           40,695     Rogue
Zbot               40,087     Trojan
Bancos             39,452     Trojan
Frethog            33,100     Evolved parasitic virus
Banker             31,675     Trojan
Jeefo              22,396     Classic parasitic virus
Renos              21,858     Trojan
Lethic             21,521     Trojan
Cutwail            21,222     Trojan
Virut              20,963     Classic parasitic virus
Hamweq             17,102     Worm
FakeVimes          14,899     Rogue
Hupigon            14,553     Trojan

You may have noticed that Ramnit, like several of the other viruses in the chart above, is classified as an “evolved” virus: as described in Scott’s previous Ramnit post, one that combines earlier and later generations of malicious infection techniques.

Allow me to go ‘back to the book’ for the definition of a parasitic virus. A parasitic virus, or file infector, is a type of ‘old school’ malware that attaches itself to, modifies, or resides inside a host file on the file system. Given how invasive this spreading technique is, one may wonder why malware authors are still in love with the old method, particularly when file infectors tend to leave the computer in an unstable state, slow and crashing often, while some even render the infected computer useless.

With today’s malware authors aiming to profit from their victims, one would expect them to be motivated to create stealthy threats with the least possible overhead on the machine, so as to keep the window of time open long enough to harvest data (or carry out other payloads).

There are several possible explanations:

Malware authors know that the anti-malware industry is targeting them; viruses can require more effort to detect and clean properly, forcing security companies to invest more resources in remediating the threat.

Current threats tend to have multiple components. For example, the Ramnit authors wrote worm modules that help it propagate via USB and network drives using Autorun.

While some file infectors such as Sality, Jeefo and Virut are traditional, many others are not. For example, Alureon and Cutwail will only infect system files or system drivers (e.g. “atapi.sys” or “agp440.sys”). Once a system file is infected and hidden, the job of the file-infecting component is done, while the other malicious components continue to execute the payload.
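The ‘old school’ file-infector pattern described above (a virus body appended to a host executable, with the PE entry point redirected into it) leaves traces in the PE headers that a responder can check without a signature. The following script is an added example, not code from the original post or from MSRT: it parses just enough of a PE image to find the section that owns AddressOfEntryPoint and flags the classic tells of an appending infector. The two sample images are constructed inline (headers only) and are not real binaries; the thresholds are the author-of-this-example's assumptions, not MSRT's detection logic.

```python
"""Heuristic check for appending file-infector tampering of a PE image.

Added example (not from the original post). Appending infectors typically
grow or add the last section, make it executable (and often writable), and
point AddressOfEntryPoint into it so the virus runs before the host code.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Return (entry_point_rva, [(name, va, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    # AddressOfEntryPoint is 16 bytes into the optional header (PE32 and PE32+).
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    sections, off = [], pe + 24 + opt_size
    for _ in range(num_sections):
        (name, vsize, va, rawsize, _ptr, _rel, _ln,
         _nrel, _nln, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, max(vsize, rawsize), chars))
        off += 40
    return entry, sections


def entry_point_findings(data: bytes):
    """Return a list of heuristic findings; empty means nothing suspicious."""
    entry, sections = parse_sections(data)
    owner = next((i for i, (_, va, size, _) in enumerate(sections)
                  if va <= entry < va + size), None)
    if owner is None:
        return ["entry point outside every section"]
    name, _, _, chars = sections[owner]
    findings = []
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append(f"entry point in last section '{name}'")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{name}' is writable and executable")
    first_code = next((i for i, s in enumerate(sections)
                       if s[3] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and owner != first_code:
        findings.append("entry point not in first code section")
    return findings


def build_pe(entry_rva: int, sections):
    """Build a header-only PE32 image (constructed sample data, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    opt_size = 224                                          # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, va, size, raw, 0, 0, 0, 0, chars)
        for name, va, size, raw, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed clean host: entry point in .text, .data is not executable.
CLEAN = build_pe(0x1010, [(".text", 0x1000, 0x1000, 0x400, TEXT),
                          (".data", 0x2000, 0x1000, 0x1400, DATA)])

# Constructed infected host: last section made executable, entry redirected into it.
INFECTED = build_pe(0x2800, [(".text", 0x1000, 0x1000, 0x400, TEXT),
                             (".data", 0x2000, 0x1000, 0x1400,
                              DATA | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, entry_point_findings(image) or "no findings")
```

Treat the output as triage, not a verdict: packers and some protectors trigger the same heuristics on legitimate files, so confirm with a signature scan or a hash comparison against a known-good copy. Note too that for the driver-infecting families named above (Alureon hides the infected driver with a rootkit), an on-disk check like this only tells the truth when run from a clean boot or offline medium, which is exactly why MSRT and offline scanners matter for these threats.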

Parasitic viruses are not going away; they are still relevant and still evolving. Our newly published Microsoft Security Intelligence Report shows the steady presence of viruses as a threat category.